Which? calls for change in law to protect consumers, as almost one in 10 think their data has been hacked

24 October 2017

New research from Which? reveals that almost one in 10 (8%) people who have shared their details online believe they have been subject to a data breach in the last year, with three quarters (73%) concerned that the information they have shared could be at risk of a leak.

The research also found general confusion around current data protection rules, including who is responsible for protecting consumers’ data and how consumers can seek redress if things do go wrong. As many as one in five (20%) consumers said that they would not know how to claim redress following a data breach, with a fifth (22%) saying they would not know who is responsible for helping them when data is lost.

Although people currently have the right to redress when there is a data breach, if the company at fault has acted negligently and does not offer adequate support or redress, the only option currently available to consumers is a lengthy and potentially expensive route via the courts.

Which? is now calling on the Government to do more to ensure consumers do not lose out when their data is compromised. The consumer champion wants the Data Protection Bill, which is being currently debated in Parliament, to be amended so that independent organisations acting in the public interest can help groups of affected consumers to get collective redress.

The call is widely supported by the public, with three quarters (74%) of those surveyed saying they would welcome an independent body helping to get redress on a collective basis.

“Data breaches are now more commonplace and yet many people have no idea what to do or who to turn to when their personal data is compromised.

“The Government should use the Data Protection Bill to give independent bodies the power to seek collective redress on behalf of consumers when a company has failed to take sufficient action following a data breach.”

Advice for consumers affected by a data breach

If you are affected by a data breach, make sure you:

Change any related passwords

Keep an eye on your bank accounts and report any unusual activity to your bank

Claim compensation by complaining to the company that lost your data

You can also take your concerns with how the organisation processed your data to the Information Commissioner’s Office (ICO)

The Consumer Rights Act 2015 introduced a collective actions regime for breaches of competition law, allowing organisations such as Which? to bring actions on an opt-out basis. Contingency fees for lawyers are banned and the Act prescribes a process for the specialist Competition Appeal Tribunal to “certify” actions at the outset.

The Data Protection Bill aims to strengthen current UK regulations and ensure that the UK remains compliant with EU law by implementing the EU General Data Protection Regulation (GDPR), which is due to come into force in May 2018. Article 80(2) of the GDPR allows for independent organisations acting in the public interest to bring collective redress actions on behalf of consumers for breaches of data protection rules. However, the UK Government has opted not to include this provision in the Data Protection Bill.